James Wilkinson wrote:
Todd Zullinger wrote:
If you use sudo, you don't have to give the user the root password,
you just edit the /etc/sudoers file to allow them to run the
particular command(s) you want and they enter their own password to
run them.
Note: depending on what the program is, this may be equivalent to giving
users the root password. In particular, if there is any way to "shell
out" from the program, or run an external editor, then the user can end
up with a root shell.
I'm also concerned about the man-page paragraph:
To prevent command spoofing, sudo checks "." and "" (both
denoting current directory) last when searching for a command in
the user’s PATH (if one or both are in the PATH). Note, however,
that the actual PATH environment variable is not modified and is
passed unchanged to the program that sudo executes.
I read this as saying that *if* a program runs another program merely by
name (e.g. "hostname" rather than "/bin/hostname"), then a malicious
user could place a symlink to bash from ./hostname, change the PATH
appropriately, and sudo the first program.
In general, simple text-mode programs are OK, complex graphical ones may
well have holes.
James.
In the case in question the user tunes pianos and keeps about 5000
customer names and related information in this computer standing in a
corner
of his home office where no one other than himself gets near it! Security
is not a consideration here. He has been using a DOS program for years
which I suspect
offers little security if any but which has been crippled since year
2000 arrived.
I have moved his accounts into mysql which took considerable effort on
my part.
Now all I want is to create a user situation where he is unlikely to
damage the
system inadvertently.
I am working at it but I keep running into glitches where stuff works in
a terminal
window as user but won't wok with the scripts I created to enable him to
start things
from xfce task bar icons. But like everything else I do I will
eventually muddle through.
I find the stuff received on this mailing list both interesting and
invaluable.
Thank you all.
Bob Goodwin Zuni, Virginia